A data security expert urges healthcare organizations to give a sweeping look at data security, using training and technology.
Cybercrime is an enormous issue in the healthcare industry. Protected health information (PHI) can be very valuable, and a breach of data can carry financial and reputational costs for both healthcare organizations and patients. An annual threat report from Symantec, a security software company, found that healthcare data breaches increased 22 percent from 2015 to 2016.
With the acceleration of data breaches and deployment of new technology in healthcare, practices of all sizes need to stay on top of data security. Physicians Practice recently spoke with Ermis Sfakiyanudis, the president and CEO of Trivalent, a data protection software company, to find out how practices can avoid future breaches.
What is the biggest challenge healthcare organizations face when it comes to data security?
Ever since healthcare accepted mobility as part of its core offering, it's been tougher and tougher to get your arms around how data is being used and how it's being protected. The challenge that healthcare has is exacerbated by the fact that you're regulated and you have people's really personal, private information. Most healthcare organizations struggle with devices being brought in from the outside, information being taken outside the four walls of the practice or hospital. Home healthcare has increased that challenge.
In healthcare, which is the larger liability, employees or technology?
It's really a combination of both. You want to enable your workforce to provide the best service to the patients as possible. Giving them devices that allow them to not be restricted to a desk, but to get out and be where the patients are is a big trend. The challenge is they have to store the data somewhere. The devices [they are using] can then be lost or stolen. You take a device that has patient records on it and it's stolen or left at a coffee shop, then you have [a] serious HIPAA violation.
Is it a lack of training that leads to data breaches occurring?
Training and awareness are a critical piece of the equation: making sure your staff understand that the data they have belongs to someone else, and that it's important they safeguard that data with the same care that they would their own. There's a technical aspect of training that goes along with that. The employees [need to] understand where the devices should [and should not] be, how to take care of them, how to not leave them on when they are at a coffee shop, or leave them in the car when they are not there. Those are all best practices that employees should be trained on.
What are your suggestions for healthcare organizations protecting their data?
There are all kinds of things [healthcare organizations] should be doing. Documenting who has devices, understanding which roles in the organization need what access to data, and employing technology that assumes devices will be stolen and breached. Healthcare organizations need to utilize technologies that change the property of the data so that it's unusable to an unauthorized user. Access control granted by role is common these days and should be part of your practice. This ensures that folks who need to have access to the data are allowed to have it, and folks that are not supposed to don't have the credentials to get to that data. For example, network administrators have access to the network at all times to keep it up and running, but they don't need access to the data itself.
Do you have personal experience with healthcare organization breaches?
Healthcare folks want to provide the best service to their patients, and they will sometimes go outside of the policy to do that. They take things on a personal device or use text messages to transmit health information. We see a good bit of that; there's no ill intent, but they are not following the policy for the sake of expediency. That's where you're giving your folks the best technology to enable them to do their job, and providing strong training so they understand why the policies are in place.
What advice do you have for practices to ensure their data is protected?
Take a look at [data security] [comprehensively]. That's a challenge sometimes when you're looking at an organization. Make sure that you understand what your doctors are trying to accomplish in terms of the services they are delivering to the patients, and look at your technology as an enabler for that. When you look at your organization, say, 'OK, are we actually going to be going out to the patients' sites? How much data are we collecting? Where does that data live?' Look at the organization from the top down and figure out the technology that best helps you enable patient care. Then marry that with a training program that doesn't restrict that delivery of services, but actually enables and enhances it.